I know I'm running a very old OS, unfortunately the device isn't
supported and my boss refuses (due to cost) to add support for PIX. So
I'm stuck with what I have.


vbwilliams@neb.rr.com wrote:

>Couldn't tell you why it happened...but you should check to see if
>maybe there was a bug from 6.3(1) to maybe 6.3(5) that would cause
>something like this. You're running a PIX OS that is over 3 years
>old. I would imagine that running something recent might fix this
>issue as well as a bunch you haven't even come across yet.
>Victor Williams
>Network Architect
>----- Original Message -----
>From: Paolo Supino
>Date: Tuesday, July 25, 2006 2:39 pm
>Subject: [fw-wiz] PI X PPTP stopped working
>To: Firewall Wizards Security Mailing List >wizards@listserv.cybertrust.com>
>> A very strange thing happened to me today: A PIX firewall I
>>stopped accepting PPTP connections. The only thing that happened before
>>it stopped responding to PPTP connections was that I ran an nmap
>>scanner on the subnet this PIX is on (to try and find out whether someone
>>to start another computer on it). Apart from this nothing has
>>changed on this subnet for a while, including the PIX' configuration. Trying
>>to telnet to port 1723 gives the error: "Could not open a connection
>>host on port 1723 : Connection failed". Any help solving this
>>will be greatly appreciated.
>>The PIX configuration is (IP addresses, names and password hashes
>>changed to protect the innocent):
>>: Written by enable_15 at 12:06:45.250 EDT Fri Jun 29 2006
>>PIX Version 6.3(1)
>>interface ethernet0 auto
>>interface ethernet1 auto
>>interface ethernet2 auto
>>nameif ethernet0 outside security0
>>nameif ethernet1 inside security100
>>nameif ethernet2 dmz security50
>>enable password 1234567890 encrypted
>>passwd 0987654321 encrypted
>>hostname fw1
>>domain-name supernova.com
>>clock timezone PST -8
>>clock summer-time PDT recurring
>>fixup protocol ftp 21
>>fixup protocol h323 h225 1720
>>fixup protocol h323 ras 1718-1719
>>fixup protocol http 80
>>fixup protocol ils 389
>>fixup protocol rsh 514
>>fixup protocol rtsp 554
>>fixup protocol sip 5060
>>fixup protocol sip udp 5060
>>fixup protocol sip udp 5060
>>fixup protocol skinny 2000
>>fixup protocol smtp 25
>>fixup protocol sqlnet 1521
>>name JANEPC
>>name JOHNPC
>>object-group service SRVCGRP1 tcp
>> port-object eq ftp-data
>> port-object eq ftp
>> port-object eq www
>> port-object eq 990
>> port-object eq https
>> port-object range 23054 23154
>>object-group service SRVCGRP2 tcp
>> port-object eq 28
>> port-object eq 27
>> port-object eq ftp-data
>> port-object eq ftp
>> port-object eq www
>> port-object eq https
>>object-group service SRVCGRP3 tcp
>> port-object eq ftp
>> port-object eq ftp-data
>> port-object eq https
>> port-object eq www
>>access-list OUTIN permit tcp any host object-group SRVCGRP1
>>access-list OUTIN permit tcp any host object-group SRVCGRP2
>>access-list OUTIN permit icmp any any
>>access-list OUTIN permit tcp any host object-group SRVCGRP3
>>access-list INOUTNAT0ACL permit ip
>>access-list INOUTNAT0ACL permit ip
>>access-list DMZOUTNAT0ACL permit ip
>>access-list DMZOUTNAT0ACL permit ip
>>access-list VPN0SPLITTUNNELACL permit ip any
>>access-list VPN0SPLITTUNNELACL permit ip any
>>pager lines 24
>>logging on
>>logging trap informational
>>icmp permit any outside
>>icmp permit any inside
>>mtu outside 1500
>>mtu inside 1500
>>mtu dmz 1500
>>ip address outside
>>ip address inside
>>ip address dmz
>>ip audit info action alarm
>>ip audit attack action alarm
>>ip local pool VPNIPPOOL
>>ip local pool x
>>pdm location inside
>>pdm logging debugging 300
>>pdm history enable
>>arp timeout 14400
>>global (outside) 1 interface
>>nat (inside) 0 access-list INOUTNAT0ACL
>>nat (inside) 1 dns 0 0
>>nat (dmz) 0 access-list dmz_outbound_nat0_acl
>>static (inside,outside) dns netmask 0 0
>>static (inside,outside) dns netmask 0 0
>>static (inside,outside) dns netmask 0 0
>>static (inside,outside) dns netmask 0 0
>>static (inside,outside) netmask 0 0
>>static (inside,outside) netmask 0 0
>>static (inside,outside) netmask 0 0
>>access-group OUTINACCESS in interface outside
>>route outside 1
>>timeout xlate 3:00:00
>>timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00
>>timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
>>timeout uauth 0:05:00 absolute
>>aaa-server TACACS+ protocol tacacs+
>>aaa-server RADIUS protocol radius
>>aaa-server LOCAL protocol local
>>http server enable
>>http inside
>>no snmp-server location
>>no snmp-server contact
>>snmp-server community public
>>no snmp-server enable traps
>>floodguard enable
>>sysopt connection permit-ipsec
>>sysopt connection permit-pptp
>>sysopt connection permit-l2tp
>>crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
>>crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
>>crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
>>crypto map outside_map interface outside
>>isakmp enable outside
>>isakmp policy 20 authentication pre-share
>>isakmp policy 20 encryption 3des
>>isakmp policy 20 hash md5
>>isakmp policy 20 group 2
>>isakmp policy 20 lifetime 86400
>>vpngroup VPN0 dns-server
>>vpngroup VPN0 default-domain supernova.com
>>vpngroup VPN0 split-tunnel VPN0SPLITTUNNELACL
>>vpngroup VPN0 idle-time 1800
>>vpngroup VPN0 password ********
>>telnet inside
>>telnet timeout 5
>>ssh inside
>>ssh timeout 5
>>console timeout 0
>>vpdn group VPN1 accept dialin pptp
>>vpdn group VPN1 ppp authentication pap
>>vpdn group VPN1 ppp authentication chap
>>vpdn group VPN1 ppp authentication mschap
>>vpdn group VPN1 ppp encryption mppe auto
>>vpdn group VPN1 client configuration address local VPNIPPOOL
>>vpdn group VPN1 client configuration dns
>> group VPN1 pptp echo 300
>>vpdn group VPN1 client authentication local
>>vpdn username user1 password ********
>>vpdn username user2 password ********
>>vpdn username user3 password ********
>>vpdn username user4 password ********
>>vpdn enable outside
>>username administrator password 0123456789 encrypted privilege 15
>>terminal width 80
>>Cryptochecksum: 00000000000000000000000000000000
>>firewall-wizards mailing list
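Added example (my own code, not from the thread or from Cisco): a Python check over the PPTP-related lines of the quoted config, to confirm the listener prerequisites are all still present before suspecting an OS bug. The check names are mine, and the rule that MPPE requires MS-CHAP is an assumption about PIX behaviour, not something the thread states.

```python
import re

# Constructed excerpt of the PIX 6.3(1) config quoted in the thread; the poster
# had already elided addresses, so only the keyword lines are reproduced here.
SAMPLE_CONFIG = """\
PIX Version 6.3(1)
ip audit attack action alarm
ip local pool VPNIPPOOL
sysopt connection permit-pptp
vpdn group VPN1 accept dialin pptp
vpdn group VPN1 ppp authentication mschap
vpdn group VPN1 ppp encryption mppe auto
vpdn group VPN1 client configuration address local VPNIPPOOL
vpdn group VPN1 client authentication local
vpdn enable outside
"""


def pptp_readiness(config_text, interface="outside"):
    """Return named checks that must all hold before a PIX 6.x answers PPTP on TCP 1723.

    Check names are this example's own; MPPE-needs-MS-CHAP is an assumption.
    """
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    dialin = {m.group(1) for ln in lines
              if (m := re.fullmatch(r"vpdn group (\S+) accept dialin pptp", ln))}
    pools = {m.group(1) for ln in lines
             if (m := re.match(r"ip local pool (\S+)", ln))}
    pool_refs = {m.group(2) for ln in lines
                 if (m := re.fullmatch(r"vpdn group (\S+) client configuration address local (\S+)", ln))}
    auth = {m.group(2) for ln in lines
            if (m := re.fullmatch(r"vpdn group (\S+) ppp authentication (\S+)", ln))}
    mppe = any(re.fullmatch(r"vpdn group \S+ ppp encryption mppe .*", ln) for ln in lines)
    audit_actions = set()
    for ln in lines:
        if (m := re.fullmatch(r"ip audit attack action (.+)", ln)):
            audit_actions.update(m.group(1).split())
    return {
        # a vpdn group must accept PPTP dial-in and vpdn must be bound to the interface
        "pptp_dialin_group": bool(dialin),
        "vpdn_enabled_on_interface": f"vpdn enable {interface}" in lines,
        # without this sysopt, the outside ACL would also have to permit TCP 1723 and GRE
        "sysopt_permit_pptp": "sysopt connection permit-pptp" in lines,
        # every address pool a group references must actually be defined
        "pool_assigned_and_defined": bool(pool_refs) and pool_refs <= pools,
        # MPPE keys derive from MS-CHAP, so mppe without mschap cannot negotiate (assumption)
        "mppe_has_mschap": (not mppe) or ("mschap" in auth),
        # with action "alarm" only, IP audit logs a scan but never drops or resets
        "ip_audit_attack_alarm_only": audit_actions <= {"alarm"},
    }
```

Run it against the real `show run` output once addresses are back in; a False entry points at a configuration cause to rule out before blaming the 6.3(1) code.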